Re: Constantly Changing CVVs Could Prevent Fraud

"The new cards have a small screen displaying a three-digit number, which replaces the usual static code on the back. A small lithium battery powers the system, and an algorithm determines when to change the code on display."

"The refresh rate will also affect the life of the card — a 60-minute refresh interval drains it after four years."

"Once it nails down the ideal refresh rate through this pilot trial, PNC plans to take the technology wide"

It seems to me that - if this idea were designed to prevent fraud - then the ideal refresh rate would simply be... to change the code after each transaction.

But, as already mentioned, this whole idea would cause major problems for anything set up on autopay. Which is why unique credit card numbers are better for autopay, and for that matter, online purchases; because it allows the consumer to control payment access.

Randomly changing the CVV code all the time just makes it harder for the consumer to re-use the card with each merchant... which is really just creating an additional unnecessary burden for the consumer.

This new tech is looking for a solution to a problem that doesn't even exist; and would more than likely cause more glitches and hold-ups than it would solve.

Also, how would the online system even know which CVV number the card just changed to? - If the card is not connected to the web, then it would have to be set up on a rotating pattern... that both the system and the card followed. Anytime there is a pattern, we're talking data breach city; because eventually the pattern would be figured out by hackers.

A better idea would be to simply scan the iris of the eye to verify transactions; because no two people have the same iris. This way, there would only need to be a camera present to scan the eye. The actual credit card - or swiper - wouldn't need to be present, or even exist in physical form. The point is to verify the consumer in question. Then, the consumer could select any one of their accounts, and verify with their iris. Consumers would be able to scan their own eye with their smartphone, or use a scanner at the register to check out. Done and done.

We could also start with fingerprints, but scanning the eye (from afar) is better for sanitary reasons. The scanner would not need to come into contact with the consumer, whereas a fingerprint scanner would need to be touched by everyone, and could easily spread germs.

Naturally, there would always need to be a backup system, where the consumer could simply pull out their ID card, or their credit card, to verify purchases.

A TOTP uses the HOTP algorithm to obtain the one-time password. The only difference is that it uses “Time” in the place of “counter,” and that gives the solution to our second problem.

That means that instead of initializing the counter and keeping track of it, we can use time as a counter in the HOTP algorithm to obtain the OTP. As a server and phone both have access to time, neither of them has to keep track of the counter.

The mobile app encodes the time using a pre-shared secret key (usually a QR Code scan gets this into the app), and sends it to the server, which looks up that particular user's secret key and encodes the current time itself, then compares. The time can be anything within a 30-second (or some other) interval - it does not have to match exactly with what the client sent.

Now, technically, if you get the secret key from the user's phone you can get access to whatever TOTP is protecting, but that will only work for that particular user - not the rest of the system. It's an awful lot of work to hack just one person.

So basically, it's more simple than a random pattern. It's based on time. Something that any two-bit hacker can figure. Now, that's an oversimplification to be sure; but, a 3-digit code is not going to be anywhere near as difficult to hack as a 6-digit one. It's light years apart.

The main point though, is that there's not really a whole lot of value in all of this obfuscation, at least for consumers. This protects the issuer, far more than the consumer. The consumer still has the card in their possession - to be potentially stolen and hacked. Still, it fails to account for autopay, as well.

Re: Constantly Changing CVVs Could Prevent Fraud

It's based on time, PLUS the main security ingredient: the pre-shared key. Without this key a hacker has nothing. They will just be sending randomly encoded time values that never match with what the server generates. They'll be locked out in 3 attempts or less anyway, without locking out the real authorized user.

I like the virtual credit card number idea the best. You make some valid points.

Re: Constantly Changing CVVs Could Prevent Fraud

Considering that 99% of the time, the issuer takes the loss... Yeah, that's pretty much a given.

This pilot program may or may not be the answer. It may or may not put a dent into the problem. But expecting consumers to freeze and unfreeze after each and every use of each card just ain't gonna happen.

IMPORTANT INFORMATION: All FICO® Score products made available on myFICO.com include a FICO® Score 8, along with additional FICO® Score versions. Your lender or insurer may use a different FICO® Score than the versions you receive from myFICO, or another type of credit score altogether. Learn more about other FICO Score versions.

FICO, myFICO, Score Watch, The score lenders use, and The Score That Matters are trademarks or registered trademarks of Fair Isaac Corporation.
Equifax Credit Report is a trademark of Equifax, Inc. and its affiliated companies.
Many factors affect your FICO Scores and the interest rates you may receive. Fair Isaac is not a credit repair organization as defined under federal or state law, including the Credit Repair Organizations Act. Fair Isaac does not provide "credit repair" services or advice or assistance regarding "rebuilding" or "improving" your credit record, credit history or credit rating.
FTC's website on credit.